Boots has suspended Advantage Card payments following an attempt to break into customers’ accounts using stolen passwords. Although the company stated that its own systems had not been compromised, attackers had reportedly tried to access accounts using passwords reused from other sites. This comes just days after Tesco announced it was issuing new Clubcards to 600,000 account holders as a precaution, after discovering that a database of stolen usernames and passwords gathered from other platforms had been tested against its websites.
With the security risks posed by databases of stolen usernames and passwords back in the headlines, Nic Sarginson, Senior Solutions Engineer UKI&RSA at Yubico, the leading provider of hardware authentication security keys, has made the following comments:
“We’ve known for some time about the risks posed by databases containing usernames and passwords. Not only is this combination woefully ineffective as a standalone method of authentication, the security risks are also compounded by the fact that these databases have become prime targets for cyber criminals to exploit. Brute-force attacks, in which these details are stolen and used against a host of other sites, unfortunately often prove successful given that so many consumers re-use credentials across multiple accounts. In fact, our own research recently found that while protecting customer information and personally identifiable information (PII) is a top priority for IT professionals, 62% have reported that customer accounts have been subject to an account takeover.
“It’s time to reduce our collective reliance on inconvenient and insecure passwords, instead encouraging consumers to use two-factor authentication (2FA) at a minimum. However, we can’t ignore the well-known vulnerabilities with basic 2FA – such as SMS one-time password (OTP) spoofing – which means embracing new standards such as WebAuthn, which offers proven levels of protection, while also looking to more sophisticated forms of technology such as biometrics. The onus must not just be on consumers to get this right; it’s essential that organisations take responsibility for making use of modern authentication technologies that will help protect their customers and internal systems.”